CVE-2026-1963

6.3 MEDIUM

📋 TL;DR

This CVE describes an improper access control vulnerability in WeKan's attachment storage component. Attackers can remotely exploit this to access or manipulate attachments they shouldn't have permission to view. All WeKan instances up to version 8.20 are affected.

💻 Affected Systems

Products:
  • WeKan
Versions: Up to and including version 8.20
Operating Systems: All platforms running WeKan
Default Config Vulnerable: ⚠️ Yes
Notes: All WeKan deployments using the affected attachment storage component are vulnerable regardless of configuration.

📦 What is this software?

WeKan is an open-source, self-hosted kanban board application (Meteor/Node.js backend with MongoDB), commonly run as a Docker container. The attachment storage component named in this CVE handles the files users upload to cards.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthorized read or modification of attachments holding confidential data (credentials, contracts, internal documents), i.e. a data breach, with follow-on access if the files contain credentials; because attachments can be manipulated as well as read, files that other board members later download could be tampered with.

🟠 Likely Case: Unauthorized viewing or downloading of attachments from boards on which the attacker has no, or insufficient, permissions.

🟢 If Mitigated: Minimal impact where network segmentation and access controls already limit who can reach the instance.

🌐 Internet-Facing: HIGH - The flaw is reachable over the network and this page lists it as exploitable without authentication, so internet-facing instances are the most exposed.
🏢 Internal Only: MEDIUM - Internal users or compromised accounts could exploit this to reach attachments on boards they are not members of.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes (as listed here; see the note below)
Complexity: LOW

The flaw is improper access control in models/attachments.js, WeKan's attachment storage model: a request that should be rejected can read or manipulate attachments the requester is not authorized for, and it is reachable remotely. One caveat on the "unauthenticated" marker: a CVSS 3.1 base score of 6.3 is exactly what the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L produces, and that vector requires a low-privileged account (the same impacts with PR:N score 7.3). If that is the vector behind the 6.3 above, an attacker needs at least a WeKan login, which matters on instances that allow self-registration. Treat the unauthenticated claim as unconfirmed until you have checked the vector on the official record.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.21

Vendor Advisory: https://github.com/wekan/wekan/releases/tag/v8.21

Restart Required: Yes

Instructions:

1. Back up your WeKan data (the MongoDB database and the attachment store, whether GridFS or a filesystem path) and your configuration
2. Stop the WeKan service
3. Update to WeKan version 8.21 or later
4. Restart the WeKan service
5. Verify that the running instance reports version 8.21 or later (see How to Verify below)

🔧 Temporary Workarounds

Disable Attachment Uploads

Applies to: all platforms

Temporarily disable attachment functionality to reduce the attack surface

This page suggests disabling ATTACHMENTS_STORE_PATH or setting ATTACHMENTS_ENABLED=false; confirm which of these your WeKan version actually honours in its documented environment variables before relying on either. Note also that blocking new uploads does not remove attachments already stored, and those remain subject to the flawed access check. Treat this as reducing exposure, not as a substitute for upgrading to 8.21.

Network Segmentation

Applies to: all platforms

Restrict network access to the WeKan instance

Configure firewall or reverse-proxy rules to limit access to trusted IP ranges only. This narrows who can reach the endpoint but does not protect against a compromised or malicious account inside the trusted range.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted users only
  • Monitor attachment access logs for suspicious activity and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check WeKan version via admin interface or by examining the running container/process. Versions 8.20 and below are vulnerable.

Check Version:

Check the WeKan admin dashboard; for Docker deployments run docker inspect wekan/wekan | grep WEKAN_VERSION (WEKAN_VERSION is the variable name given here; confirm it against the image you actually run); for source installs read the version field of package.json in the installation directory.

Verify Fix Applied:

Verify the version is 8.21 or higher. For source installs, additionally confirm that commit c413a7e860bc4d93fe2adcf82516228570bf382d is in the checked-out history: git merge-base --is-ancestor c413a7e860bc4d93fe2adcf82516228570bf382d HEAD exits 0 when the fix is included.
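The following is an added example (Python, not code from the WeKan project or from this page) that turns the version check above into something scriptable: it extracts the version from docker inspect output or package.json and classifies it against the 8.21 fix boundary. The docker inspect JSON and package.json are constructed samples, and the WEKAN_VERSION variable name is taken from this page; whether a given image sets it is an assumption to confirm.

```python
"""Added example, not WeKan project code: classify a WeKan build against the
range this advisory marks as affected (8.20 and earlier; fixed in 8.21).

The docker inspect output and package.json below are constructed sample data.
The WEKAN_VERSION environment variable is the name this page suggests grepping
for; whether a given image actually sets it is an assumption to confirm.
"""
import json
import re

FIXED_VERSION = (8, 21, 0)   # first release carrying the fix, per the advisory


def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v8.20', '8.21.0' or
    'WEKAN_VERSION=v8.20-alpha'; missing components count as 0."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(version_text):
    """True when the version sorts strictly below the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def version_from_docker_inspect(inspect_json):
    """Pull WEKAN_VERSION out of the Config.Env list of `docker inspect` output.

    Returns None when the variable is absent (fall back to the admin UI or
    package.json in that case)."""
    for obj in json.loads(inspect_json):
        for entry in obj.get("Config", {}).get("Env", []):
            key, _, value = entry.partition("=")
            if key == "WEKAN_VERSION":
                return value
    return None


def version_from_package_json(package_json):
    """Read the version field of a WeKan checkout's package.json."""
    return json.loads(package_json)["version"]


def classify(version_text):
    """Verdict string: 'vulnerable', 'fixed', or 'unknown' when no version was found."""
    if version_text is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version_text) else "fixed"


# Constructed sample: the shape `docker inspect` prints, trimmed to the fields used.
SAMPLE_DOCKER_INSPECT = json.dumps([{
    "Id": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
    "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin", "WEKAN_VERSION=v8.20"]},
}])

# Constructed sample: the only field of package.json this script needs.
SAMPLE_PACKAGE_JSON = json.dumps({"name": "wekan", "version": "v8.21.0"})


if __name__ == "__main__":
    for label, v in (("docker image", version_from_docker_inspect(SAMPLE_DOCKER_INSPECT)),
                     ("source tree", version_from_package_json(SAMPLE_PACKAGE_JSON))):
        print(f"{label}: {v} -> {classify(v)}")
```

In practice, feed it the real output of docker inspect or the real package.json instead of the samples; an "unknown" verdict means the version could not be read and the admin dashboard should be checked by hand.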

📡 Detection & Monitoring

Log Indicators:

  • Unusual attachment access patterns
  • Access to attachments from unauthorized users or IPs
  • Failed access attempts to restricted attachments

Network Indicators:

  • Unusual traffic to attachment endpoints from unexpected sources
  • Multiple rapid requests to /api/attachments/ endpoints

SIEM Query:

Template to adapt to your SIEM's syntax; authorized_users and trusted_networks are lookups you maintain, and the uri_path value should match the path your deployment actually serves attachments from:

source="wekan" AND (uri_path="/api/attachments/*" OR event="attachment_access") AND (user NOT IN authorized_users OR src_ip NOT IN trusted_networks)
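The following is an added example (Python, not code from the WeKan project or from this page) that runs the indicators above over reverse-proxy access logs: attachment requests from outside trusted networks, rapid bursts of attachment requests from one source, and denied (401/403) attachment requests. It assumes nginx/Apache combined-format logs and the /api/attachments/ prefix this page names (confirm the path against your own deployment); the trusted ranges and the log lines are constructed sample data.

```python
"""Added example, not WeKan project code: apply this page's log and network
indicators to reverse-proxy access logs in front of a WeKan instance.

Assumptions: logs are nginx/Apache 'combined' format; attachment requests
use the /api/attachments/ prefix this page lists (confirm the path your
deployment actually serves attachments from); the trusted networks and the
log lines below are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ATTACHMENT_PREFIX = "/api/attachments/"        # endpoint named by this page
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),      # assumed corporate
                    ipaddress.ip_network("192.168.1.0/24")]  # and VPN ranges
BURST_COUNT = 5        # this many attachment requests ...
BURST_WINDOW_SEC = 30  # ... from one source within this window is a burst


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_text):
    """True when the source address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in TRUSTED_NETWORKS)


def attachment_records(lines):
    """Parse the lines and keep only requests under the attachment endpoint."""
    recs = (parse_line(line) for line in lines)
    return [r for r in recs if r and r["path"].startswith(ATTACHMENT_PREFIX)]


def find_bursts(records):
    """Sources with >= BURST_COUNT attachment requests inside BURST_WINDOW_SEC."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    hits = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):           # sliding window over sorted times
            while (stamps[end] - stamps[start]).total_seconds() > BURST_WINDOW_SEC:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                hits.append(ip)
                break
    return sorted(hits)


def analyze(lines):
    """Run all three indicators; results are sorted so they compare predictably."""
    recs = attachment_records(lines)
    untrusted = sorted({r["ip"] for r in recs if not is_trusted(r["ip"])})
    denied = sorted((r["ip"], r["path"]) for r in recs if r["status"] in (401, 403))
    return {"untrusted_sources": untrusted, "bursts": find_bursts(recs), "denied": denied}


# Constructed sample log: one trusted user, one non-attachment request, one
# untrusted source pulling attachments rapidly, one untrusted source denied.
SAMPLE_LOG = [
    '10.0.0.7 - alice [12/Feb/2026:10:00:01 +0000] "GET /api/attachments/att1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.1.9 - bob [12/Feb/2026:10:00:05 +0000] "GET /api/boards/b1 HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [12/Feb/2026:10:01:{s:02d} +0000] "GET /api/attachments/att{i} HTTP/1.1" 200 5120 "-" "curl/8.5.0"'
    for i, s in enumerate(range(0, 18, 3), start=1)
] + [
    '198.51.100.22 - - [12/Feb/2026:10:02:30 +0000] "GET /api/attachments/att9 HTTP/1.1" 403 0 "-" "curl/8.5.0"',
]


if __name__ == "__main__":
    for indicator, hits in analyze(SAMPLE_LOG).items():
        print(f"{indicator}: {hits}")
```

The three result lists map directly onto the SIEM template above: untrusted_sources is the src_ip NOT IN trusted_networks clause, bursts is the "multiple rapid requests" network indicator, and denied is the "failed access attempts" log indicator. Tune BURST_COUNT and BURST_WINDOW_SEC to the normal attachment traffic of your boards before alerting on them.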
